Chapter 1 Purpose, definitions, substantive scope and extent
of the Act

Section 1
Purpose of the Act

The purpose of this Act is to
contribute towards providing public health services and the public
health administration with information and knowledge without
violating the right to privacy, so as to ensure that medical
assistance may be provided in an adequate, effective manner.
Through research and statistics, the Act shall contribute towards
information on and knowledge of the state of public health, causes
of impaired health and illness trends for administration, quality
assurance, planning and management purposes. The Act shall ensure
that personal health data are processed in accordance with
fundamental respect for the right to privacy, including the need to
protect personal integrity and respect for private life and ensure
that personal health data are of adequate quality.

Section 2
Definitions

For the purposes of this Act, the
following definitions shall apply:

personal health data: any information subject to the duty of
confidentiality pursuant to the Health Personnel Act section 21 and
other information and assessments regarding health matters or that
are significant for health matters, that may be linked to a natural
person,

de-identified personal health data: personal health data from
which the name, personal identity number and other characteristics
serving to identify a person have been removed, so that the data
can no longer be linked to a natural person, and where the identity
can only be traced through alignment with the same data that were
previously removed,

anonymous data: data from which the name, personal identity
number and other characteristics serving to identify a person have
been removed, so that the data can no longer be linked to a natural
person,

pseudonymous health data: personal health data in which the
identity has been encrypted or otherwise concealed, but nonetheless
individualized so that it is possible to follow each person through
the health system without his identity being revealed,

processing of personal health data: any use of personal health
data for a specific purpose, such as collection, recording,
alignment, storage and disclosure or a combination of such
uses,

health data filing system established for therapeutic purposes:
a system of patient records and information or other personal
health data filing system for the purpose of providing a basis for
acts that have a preventive, diagnostic, therapeutic,
health-preserving or rehabilitative objective in relation to the
individual patient and that are performed by health personnel, and
the administration of such acts,

data controller: the person who determines the purpose of the
processing of personal health data and which means are to be used,
unless responsibility for such data control is specially prescribed
in the Act or in regulations laid down pursuant to the Act,

data processor: the person who processes personal health data
on behalf of the controller,

the data subject: the person to whom personal health data may
be linked,

consent: any freely given, specific and informed declaration by
the data subject to the effect that he or she agrees to the
processing of personal health data relating to him or her.

Section 3
Substantive scope of the Act

This Act shall apply to

processing of personal health data in the public health
administration and public health services that takes place wholly
or partly by automatic means to achieve the purposes set out in
section 1, and

other processing of personal health data in the public health
administration and public health services for such purposes, when
the personal health data are part of or are intended to be part of
a personal health data filing system.

This Act shall apply to both public
and private activities.

The King in Council may by
regulations decide that this Act or parts of this Act shall apply
to the processing of personal health data outside the public health
administration and public health services in order to fulfil the
purposes set out in section 1.

Section 4
Territorial extent of the Act

This Act shall apply to data
controllers who are established in Norway. The King may by
regulations decide that the Act shall wholly or partly apply to
Svalbard and Jan Mayen, and lay down special rules regarding the
processing of personal health data for these areas.

This Act shall also apply to data
controllers who are established in states outside the territory of
the EEA if the controller makes use of technical equipment in
Norway. However, this shall not apply if such equipment is used
only to transfer personal health data through Norway.

Controllers such as are mentioned
in the second paragraph shall have a representative who is
established in Norway. The provisions that apply to the controller
shall also apply to the representative.

Personal health data may only be
processed by automatic means when this is permitted pursuant to
sections 9 and 33 of the Personal Data Act, or it is so provided by
statute and is not prohibited on other special legal grounds. The
same applies to other processing of personal health data, if the
data are part of or are intended to be part of a personal health
data filing system.

The obligation to obtain a licence
pursuant to section 33 of the Personal Data Act shall not apply to
the processing of personal health data that takes place pursuant to
regulations laid down pursuant to sections 6 to 8. Before personal
health data may be obtained for processing pursuant to the first
paragraph, the data subject must give his consent, unless otherwise
provided by or pursuant to statute.

Sections 4-3 to 4-8 of the
Patients’ Rights Act shall apply correspondingly to consent
pursuant to this Act. Children between 12 and 16 years of age may
themselves make decisions regarding consent if, for reasons that
should be respected, the patient does not wish the data to be made
known to his parents or other persons with parental
responsibility.

Personal health data filing systems
established for therapeutic purposes may be kept by automatic
means. It shall be evident from the filing system who has recorded
the data. This may be done by means of an electronic signature or
corresponding secure documentation.

Regional health enterprises and
health enterprises, municipalities and other public or private
establishments which make use of personal health data filing
systems established for therapeutic purposes shall be data
controllers. The enterprise and the municipality may delegate
responsibility for controlling the data.

The King may by regulations
prescribe further rules regarding the processing of personal health
data in personal health data filing systems established for
therapeutic purposes, including rules regarding the approval of
software and other matters as mentioned in section 16, fourth
paragraph.

Section 7
Regional and local personal health data filing systems

No regional or local personal
health data filing systems may be established other than those
authorized by this Act or another statute.

The King in Council may by
regulations prescribe further rules regarding the establishment of
regional personal health data filing systems and the processing of
personal health data in such filing systems in order to perform
functions pursuant to the Communicable Diseases Control Act, the
Specialized Health Services Act and the Dental Health Services Act.
The name, personal identity number or other characteristics that
directly identify a natural person may only be processed with the
consent of the data subject. The latter’s consent is not necessary
if the regulations provide that the personal health data may only
be processed in pseudonymized or de-identified form. The
regulations shall state the purpose of the processing of the
personal health data, which data may be processed, and, if
appropriate, prescribe further rules as to who shall effect the
pseudonymization and principles for how this shall be done. The
regional health enterprise is the data controller, unless otherwise
provided by the regulations. Responsibility for controlling the
data may be delegated.

The King in Council may by
regulations prescribe further rules regarding the establishment of
local personal health data filing systems and the processing of
personal health data in such filing systems in order to perform
functions pursuant to the Municipal Health Services Act and the
Communicable Diseases Control Act. The name, personal identity
number or other characteristics that directly identify a natural
person may only be processed with the consent of the data subject.
The latter’s consent is not necessary if the regulations provide
that the personal health data may only be processed in
pseudonymized or de-identified form. The regulations shall state
the purpose of the processing of the personal health data, which
data may be processed, and, if appropriate, prescribe further rules
as to who shall effect the pseudonymization and principles for how
this shall be done. The municipality is the data controller, unless
otherwise provided by the regulations. Responsibility for
controlling the data may be delegated.

Section 8
Central personal health data filing systems

No central personal health data
filing systems may be established other than those authorized by
this Act or another statute.

The King in Council may by
regulations prescribe further rules regarding the establishment of
central personal health data filing systems and the processing of
personal health data in such filing systems in order to perform
functions pursuant to the Pharmacies Act, the Municipal Health
Services Act, the Dental Health Services Act, the Communicable
Diseases Control Act and the Specialized Health Services Act,
including the general management and planning of services, quality
improvement, research and statistics. The name, personal identity
number or other characteristics that directly identify a natural
person may only be processed with the consent of the data subject.
The latter’s consent is not necessary if the regulations provide
that the personal health data may only be processed in
pseudonymized or de-identified form. If appropriate the regulations
shall prescribe further rules regarding who shall effect the
pseudonymization and principles for how this shall be done.

In the following personal health
data filing systems, the name, personal identity number and other
characteristics that directly identify a natural person may be
processed without the consent of the data subject insofar as this
is necessary to achieve the purpose of the filing system:

The Causes of Death Registry

The Cancer Registry

The Medical Birth Registry

The System of Surveillance of Infectious Diseases

The Central Tuberculosis Surveillance Registry

The System for Immunization Surveillance and Control
(SYSVAK)

The King in Council may by
regulations prescribe further rules regarding the processing of the
personal health data in the personal health data filing
systems.

Pursuant to the second and third
paragraphs, the regulations shall state the purpose of the
processing of the personal health data and which data shall be
processed. Moreover, the regulations shall state who shall be data
controller.

Responsibility for controlling the
data may be delegated. The regulations should also prescribe rules
regarding the duty of the data controller to make data available so
that the purposes may be achieved.

Establishments and health personnel
who offer or provide services in accordance with the Pharmacies
Act, the Municipal Health Services Act, the Communicable Diseases
Control Act, the Specialized Health Services Act or the Dental
Health Services Act have an obligation to disclose or transfer data
as prescribed in regulations pursuant to sections 7 and 8 and to
this section.

The King may prescribe regulations
regarding the collection of personal health data pursuant to
sections 7 and 8, including rules regarding who shall give and
receive data and regarding time limits, requirements as regards the
form in which the data is to be provided and reporting forms. The
recipient of the data shall notify the person sending the data if
the data are deficient.

The Ministry may by regulations or
by administrative decision order regional health enterprises and
health enterprises, counties and municipalities to report
de-identified or anonymous data for statistical purposes, including
issuing further rules regarding the use of standards,
classification systems and coding systems.

All processing of personal health
data shall have an explicitly stated purpose that is objectively
justified by the activities of the data controller. The controller
shall ensure that the personal health data that are processed are
relevant to and necessary for the purpose of the processing of the
data.

Personal health data may only be
used for purposes other than the provision of medical assistance
for the individual patient or for the administration of such
assistance when it is necessary for the person to be identifiable
in order to achieve these purposes. Reasons shall always be given
for why it is necessary to use data relating to an identifiable
person. Pursuant to section 31, the supervisory authority may
require that the data controller present the reasons.

Personal health data may not be
used for purposes that are incompatible with the original purpose
of the collection of the data without the consent of the data
subject.

Section 12
Alignment of personal health data

Personal health data in personal
health data filing systems established for therapeutic purposes may
be aligned with data relating to the same patient in another
personal health data filing system established for therapeutic
purposes to the extent that the personal health data may be
disclosed pursuant to sections 25, 26 and 45 of the Health
Personnel Act. The said personal health data may also be aligned
with data from the national population register relating to the
data subject.

Personal health data collected
pursuant to section 9 may be aligned in accordance with further
rules prescribed in regulations laid down pursuant to sections 7
and 8.

Beyond what is authorized by the
first and second paragraphs, personal health data may only be
aligned when this is authorized pursuant to sections 9 and 33 of
the Personal Data Act.

Section 13
Access to personal health data in the data controller’s and the
data processor’s institution

Only the data controller, the data
processors and persons working under the instructions of the
controller or the processor may be granted access to personal
health data. Access may only be granted insofar as this is
necessary for the work of the person concerned and in accordance
with the rules that apply regarding the duty of confidentiality.

Section 14
Disclosure of personal health data

Personal health data may be
disclosed or transferred for alignment that is authorized pursuant
to section 12. Aligned personal health data may, after the name and
personal identity number have been removed, be disclosed or
transferred to an enterprise as decided by the Ministry, when the
purpose is to de-identify or anonymize the data.

Personal health data may, moreover,
be disclosed or transferred when disclosure or transfer is
authorized by or pursuant to statute, and the recipient of the data
is authorized to process them pursuant to the Personal Data
Act.

Section 15
Duty of confidentiality

Any person who processes personal
health data pursuant to this Act has a duty of confidentiality
pursuant to sections 13 to 13 e of the Public Administration Act
and the Health Personnel Act.

The duty of confidentiality
pursuant to the first paragraph also applies to the patient’s place
of birth, date of birth, personal identity number, pseudonym,
nationality, civil status, occupation, residence and place of work.
Data may only be given to other administrative agencies pursuant to
section 13 b, nos. 5 and 6, of the Public Administration Act when
this is necessary to facilitate the fulfilment of tasks pursuant to
this Act, or to prevent significant danger to life or serious
injury to a person’s health.

The data controller and the data
processor shall by means of planned, systematic measures, ensure
satisfactory data security with regard to confidentiality,
integrity, quality and accessibility in connection with the
processing of personal health data.

To achieve satisfactory data
security, the controller and the processor shall document the data
system and the security measures. Such documentation shall be
accessible to the employees of the controller and of the processor.
The documentation shall also be accessible to the supervisory
authorities.

Any controller who allows other
persons to have access to personal health data, e.g. a data
processor or other persons performing tasks in connection with the
data system, shall ensure that the said persons fulfil the
requirements set out in the first and second paragraphs.

The King may prescribe regulations
regarding data security in connection with the processing of
personal health data pursuant to this Act. The King may for
instance set further requirements as regards electronic signatures,
communication and long-term storage, the authorization of software
and the use of standards, classification systems and coding
systems, and which national or international system of standards
shall be followed.

Section 17
Internal control

The data controller shall establish
and maintain such planned and systematic measures as are necessary
to fulfil the requirements laid down in or pursuant to this Act,
including measures to ensure the quality of personal health
data.

The controller shall document the
measures. The documentation shall be accessible to the employees of
the controller and of the processor. The documentation shall also
be accessible to the supervisory authorities.

The King may by regulations
prescribe further rules regarding internal control.

Section 18
The data processor’s right of disposition over personal health
data

No data processor may process
personal health data in any way other than that which is agreed in
writing with the data controller. Nor may the data be handed over
to another person for storage or manipulation without such
agreement. It shall also be stated in the agreement with the
controller that the processor undertakes to carry out such security
measures as ensue from section 16.

Section 19
Time limit for replying to inquiries, etc.

The data controller shall reply to
inquiries regarding access or other rights pursuant to sections 21,
22, 26 and 28 without undue delay and not later than 30 days from
the date of receipt of the inquiry.

If special circumstances should
make it impossible to reply to the inquiry within 30 days,
implementation may be postponed until it is possible to reply. In
such case, the controller shall give a provisional reply stating
the reason for the delay and when a reply is likely to be
given.

Chapter 4 The data controller’s duty to provide information
and the data subject’s right to access

Section 20
Information to the general public regarding the processing of
personal health data pursuant to sections 7 and 8 of this
Act

When personal health data are
processed in accordance with regulations laid down pursuant to
sections 7 and 8, the controller shall on his own initiative inform
the general public about what kind of processing of personal health
data is being carried out.

Section 21
Right to general information on personal health data filing
systems and processing of personal health data

Any person who so requests shall be
informed of the kind of processing of personal health data a data
controller is performing, and may demand to receive the following
information as regards a specific type of processing:

1. the name and address of the controller and of his
representative, if any,

2. who has the day-to-day responsibility for fulfilling the
obligations of the controller,

3. the purpose of the processing of
the personal health data,

4. descriptions of the categories of
personal health data that are processed,

5. the sources of the data, and

6. whether the personal health data will be disclosed, and if so,
the identity of the recipient.

The information may be demanded
from the controller or from his processor as mentioned in section
18.

Section 22
Right of access

Any person who so requests has a
right of access to personal health data filing systems established
for therapeutic purposes insofar as this is authorized by section
5-1 of the Patients’ Rights Act and section 41 of the Health
Personnel Act.

When personal health data are
processed pursuant to sections 5, 7 and 8, the data subject has the
right, upon inquiry, in addition to the information specified in
section 21, first paragraph, to be informed of:

the categories of data concerning the data subject that are
being processed, and

the security measures implemented in connection with the
processing insofar as such access does not prejudice security.

The data subject may also demand
that the data controller elaborate on the information in section
21, first paragraph, to the extent that this is necessary to enable
the data subject to protect his or her own interests.

Information pursuant to the first
and second paragraphs may be demanded in writing from the
controller or from his processor as mentioned in section 18. The
person who is requested to grant access may demand that the data
subject submit a written, signed request.

The King may by regulations issue
further rules regarding the right of access to the processing of
personal health data pursuant to the second and third paragraphs.
If special reasons make this necessary, the King may issue
regulations to the effect that the data subject must pay
compensation to the controller. The compensation may not exceed the
actual costs of complying with the demand.

Section 23
Obligation to provide information when data is collected from
the data subject

When personal health data is
collected from the data subject himself, the data controller shall
on his own initiative first inform the data subject of

the name and address of the data controller and of his
representative, if any,

the purpose of the processing of the personal health data,

whether the data will be disclosed and, if so, the identity of
the recipient,

the fact that the provision of data is voluntary, and

any other circumstances that will enable the data subject to
exercise his rights pursuant to this Act in the best possible way,
such as information on the right to demand access to data, cf.
section 22, and the right to demand that data be rectified and
erased, cf. sections 26 and 28.

Notification is not required if
there is no doubt that the data subject already has the information
in the first paragraph.

Section 24
Obligation to provide information when data is collected from
persons other than the data subject

A data controller who collects
personal health data from persons other than the data subject shall
on his own initiative inform the data subject of the data which are
being collected and provide such information as is mentioned in
section 23, first paragraph, as soon as the data have been
obtained. If the purpose of collecting the data is to communicate
them to other persons, the controller may wait to notify the data
subject until such disclosure takes place.

The data subject is not entitled to
notification pursuant to the first paragraph if

the collection or communication of data is expressly authorized
by statute,

notification is impossible or disproportionately difficult,
or

there is no doubt that the data subject already has the
information which shall be contained in the notification.

When notification is omitted
pursuant to the second paragraph, no. 2, the information shall
nonetheless be provided at the latest when the data subject is
contacted on the basis of the data.

Section 25
Exceptions to the right to information and access

Access to personal health data
filing systems established for therapeutic purposes may be denied
pursuant to the provisions of section 5-1 of the Patients’ Rights
Act.

The right to access pursuant to
sections 21 and 22, second paragraph, and the obligation to provide
information pursuant to sections 20, 23 and 24 do not encompass
data

which, if known, might endanger national security, national
defence or the relationship to foreign powers or international
organizations,

regarding which secrecy is required in the interests of the
prevention, investigation, exposure and prosecution of criminal
acts,

which it must be regarded as inadvisable for the data subject
to gain knowledge of, out of consideration for the health of the
person concerned or for the relationship to persons close to the
person concerned,

to which a statutory obligation of professional secrecy
applies,

which are solely to be found in texts drawn up for internal
preparatory purposes and which have not been disclosed to other
persons,

regarding which it will be contrary to obvious and fundamental
private or public interests to provide information, including the
interests of the data subject himself.

A representative of the patient is
entitled to access to information to which the data subject is
denied access pursuant to the first paragraph and second paragraph,
no. 3, unless the representative is considered unfit thereto. A
medical practitioner or lawyer may not be denied access, unless
special grounds so indicate.

Any person who refuses to provide
access to data pursuant to the first or second paragraph must give
the reason for this in writing with a precise reference to the
provision governing exceptions.

If personal health data which are
inaccurate, incomplete or of which processing is not authorized are
processed pursuant to sections 5, 7 and 8, the data controller
shall on his own initiative or at the request of the data subject
rectify the deficient data. The controller shall if possible ensure
that the error does not have an effect on the data subject. If the
personal health data have been disclosed, the controller shall
notify recipients of disclosed data.

The rectification of inaccurate or
incomplete personal health data which may be of significance as
documentation shall be effected by marking the data clearly and
supplementing them with accurate data.

If weighty considerations relating
to protection of privacy so warrant, the Data Inspectorate may,
notwithstanding the second paragraph, decide that rectification
shall be effected by erasing or blocking the deficient personal
health data. If the data may not be destroyed pursuant to the
Archives Act, the Director General of the National Archives of
Norway shall be consulted prior to making an administrative
decision regarding erasure. This decision shall take precedence
over the provisions of sections 9 and 18 of the Archives Act of 4
December 1992 No. 126.

Erasure should be supplemented by
the recording of accurate and complete data. If this is impossible,
and the document that contained the erased data therefore provides
a clearly misleading picture, the entire document shall be
erased.

Sections 42 to 44 of the Health
Personnel Act shall apply to rectification and erasure of personal
health data in personal health data filing systems established for
therapeutic purposes. The second and third sentences of the first
paragraph apply correspondingly.

The data controller shall not store
personal health data longer than is necessary to carry out the
purpose of the processing of the data. If the personal health data
shall not thereafter be stored in pursuance of the Archives Act or
other legislation, they shall be erased.

In regulations laid down pursuant
to sections 6 to 8, it may be decided that personal health data may
be stored for historical, statistical or scientific purposes, if
the public interest in the data being stored clearly exceeds the
disadvantages this may entail for the person concerned. In this
case, the controller shall ensure that the data are not stored
longer than necessary in ways that make it possible to identify the
data subject.

Section 28
Erasure or blocking of personal health data which are regarded
as disadvantageous by the data subject

The data subject may demand that
personal health data processed pursuant to sections 5, 7 and 8
shall be erased or blocked if the processing is considered to be
strongly disadvantageous to the data subject and there are no
strong general considerations that warrant processing the data. The
demand for the erasure or blocking of such data shall be made to
the data controller.

After the Director General of the
National Archives of Norway has been consulted, the Data
Inspectorate may decide that the right to erase data pursuant to
the first paragraph shall take precedence over the provisions of
sections 9 and 18 of the Archives Act of 4 December 1992 No. 126.
If the document that contained the erased data gives a clearly
misleading picture after the erasure, the entire document shall be
erased.

Demands for erasure of personal
health data in personal health data filing systems established for
therapeutic purposes shall be decided pursuant to section 43 of the
Health Personnel Act.

Notification shall be given not
later than 30 days prior to commencement of the data processing.
The Data Inspectorate shall give the controller a receipt of
notification. New notification must be given prior to processing of
personal health data that exceeds the limits for processing
provided for in section 30. Even if no changes have taken place,
new notification shall be given three years after the previous
notification was given.

The King may prescribe regulations
to the effect that certain methods of personal health data
processing or data controllers are exempted from the obligation to
give notification or are subject to a simplified obligation to give
notification.

Section 30
Content of the notification

The notification to the Data
Inspectorate shall provide information regarding

the name and address of the data controller and of his
representative, if any, and the data processor,

when the processing of the personal health data will
begin,

who has the day-to-day responsibility for fulfilling the
obligations of the controller,

the purpose of the processing of the personal health data,

an overview of the categories of personal health data that are
to be processed,

the sources of the personal health data,

the legal basis for collecting the personal health data,

the persons to whom the personal health data will be disclosed,
including recipients in other countries, if any, and

the security measures related to the processing of the personal
health data.

The King may prescribe regulations
regarding the data that notifications shall contain and
implementation of the obligation to give notification.

Section 31
The supervisory authorities

The Data Inspectorate supervises
that the provisions of the Act are complied with and that errors or
deficiencies are rectified, cf. section 42 of the Personal Data
Act, unless responsibility for supervision lies with the Norwegian
Board of Health or the chief county medical officer pursuant to Act
of 30 March 1984 No. 15 on government supervision of public health
services.

The supervisory authorities may
demand any data necessary to enable them to carry out their
functions.

In connection with their verification
of compliance with statutory provisions, the supervisory
authorities may demand admittance to places where personal health
data filing systems, personal health data that are processed
automatically and technical aids for such processing are located.
The supervisory authorities may carry out such tests or inspections
as they deem necessary and may demand such assistance from the
personnel in such places as is necessary to carry out the tests or
inspections.

The right to demand information or
admittance to premises and aids pursuant to the second and third
paragraphs shall apply notwithstanding any obligation of
professional secrecy.

The supervisory authorities and
other persons who are in the service of the supervisory authorities
shall be subject to provisions of professional secrecy pursuant to
section 15. The obligation of professional secrecy shall also apply
to information concerning security measures.

The King may prescribe regulations
regarding exemptions from the first to fourth paragraphs in the
interests of the security of the realm. The King may also issue
regulations concerning the reimbursement of expenses incurred in
connection with inspections. Recovery of any amount outstanding in
the reimbursement of such expenses may be enforced by
execution.

Section 32
Authorization to issue orders

The Data Inspectorate may issue
orders to the effect that the processing of personal health data
which is contrary to provisions laid down in or pursuant to this
Act shall cease, or impose conditions which must be fulfilled in
order for the processing of the personal health data to be in
compliance with this Act. If, furthermore, it must be assumed that
the processing of personal health data may have adverse
consequences for patients, the Norwegian Board of Health may issue
such orders as mentioned. When the Data Inspectorate has issued an
order, the Norwegian Board of Health shall be informed accordingly.
When the Norwegian Board of Health has issued an order, the Data
Inspectorate shall be informed accordingly.

Orders pursuant to the first
paragraph shall include a time limit for compliance with the
order.

Decisions made by the Data
Inspectorate in pursuance of sections 26, 28, 31, 32 and 33 may be
appealed to the Privacy Appeals Board.

Section 33
Coercive fine

In connection with orders pursuant
to section 32, the Data Inspectorate may impose a coercive fine
which will run for each day from the expiry of the time limit set
for compliance with the order until the order has been complied
with.

The coercive fine shall not run
until the time limit for lodging an appeal has expired. If the
administrative decision is appealed, the coercive fine shall not
run until so decided by the appeals body.

The Data Inspectorate may waive a
coercive fine that has been incurred.

Section 34
Penalties

Anyone who wilfully or through
gross negligence

processes personal health data contrary to sections 16 or
18,

omits to provide information to the data subject pursuant to
sections 23 or 24,

omits to send notification to the Data Inspectorate pursuant to
section 29,

omits to provide information to the supervisory authorities
pursuant to section 31, or

omits to comply with orders of the supervisory authorities
pursuant to section 32,

shall be liable to fines or
imprisonment for a term not exceeding one year or both.

In particularly aggravating
circumstances, a sentence of imprisonment for a term not exceeding
three years may be imposed. In deciding whether there are
particularly aggravating circumstances, emphasis shall be placed,
inter alia, on the risk of great damage or inconvenience to
the data subject, the gain sought by means of the violation, the
duration and scope of the violation, manifest fault, and on whether
the data controller has previously been convicted of violating
similar provisions.

An accomplice shall be liable to
similar penalties.

In regulations issued pursuant to
this Act, it may be prescribed that any person who wilfully or
through gross negligence violates such regulations shall be liable
to fines or imprisonment for a term not exceeding one year or
both.

Section 35
Compensation

The data controller shall
compensate damage suffered as a result of the fact that personal
health data have been processed contrary to provisions laid down in
or pursuant to this Act, unless it is established that the damage
is not due to error or neglect on the part of the controller.

The compensation shall be
equivalent to the financial loss incurred by the injured party as a
result of the unlawful processing of the personal health data. The
controller may also be ordered to pay such compensation for damage
of a non-economic nature (compensation for non-pecuniary damage) as
seems reasonable.

Chapter 7 Relationship to other statutes.
Commencement.

Section 36
Relationship to the Act relating to the Processing of Personal
Data

Insofar as it is not otherwise
provided by this Act, the Personal Data Act and appurtenant
regulations shall apply as supplementary provisions.

Section 37
Commencement

This Act shall enter into force
from the date decided by the King. The King may decide that the
individual provisions of the Act shall enter into force on
different dates.

The municipality may order health
personnel who work within the framework of this Act to provide
information for use in planning, management and development of
municipal health services.
Disclosure of data subject to the duty of confidentiality
pursuant to the first sentence shall take place with the consent of
the person whom the data concerns, unless otherwise provided by or
pursuant to statute.

The county may order health
personnel who work within the framework of this Act to provide
information for use in planning, management and development of
county dental health services.
Disclosure of data subject to the duty of confidentiality
pursuant to the first sentence shall take place with the consent of
the person whom the data concerns, unless otherwise provided by or
pursuant to statute.

3. Act of 4 December 1992 No. 126
relating to Archives shall be amended as follows:

Section 9, litera c, third
sentence, shall read:

Personal data filing systems or
parts of a personal data filing system may however be erased
pursuant to the provisions of the Personal Data Act,
the Personal Health Data Filing System Act and provisions laid
down pursuant to sections 7 and 8 of the Personal Health Data
Filing System Act.

Section 9, litera d, second
sentence, shall read:

Provisions regarding erasure
prescribed pursuant to section 27, third and fifth paragraphs, and
section 28, fourth paragraph, of the Personal Data Act
and sections 7, 8 and 26, third paragraph, and section 28,
second paragraph, of the Personal Health Data Filing System
Act shall however apply in full.

Section 18, second sentence, shall
read:

The provisions of the Personal Data Act and the Personal Health
Data Filing System Act regarding rectification and erasure of data
shall however apply in full.

4. Section 2-3 of Act of 5 August
1994 No. 55 relating to Control of Communicable Diseases shall
read:

Section 2-3.
The duty of medical practitioners to report cases. The duty of
nurses and midwives to give notification.

A medical practitioner who
discovers that a person is infected has a duty to report the case
in accordance with regulations laid down pursuant to the fourth
paragraph, notwithstanding the statutory duty of secrecy. A nurse
or a midwife who in the course of her activities discovers that a
person is infected has a duty to give notification in accordance
with regulations laid down pursuant to the fourth paragraph,
notwithstanding the statutory duty of secrecy.

Any person who pursuant to the
first paragraph receives information which is subject to the duty
of secrecy has the same duty of secrecy as the person who provides
the information.

When a medical practitioner who has
a duty to report pursuant to the provision in the first paragraph
submits a report identifying a person, the medical practitioner
shall inform the person concerned whom the report will be given to
and what it will be used for.

The King in Council may prescribe
regulations regarding the processing of personal health data,
including the use of names, personal identity number or other
characteristics that identify a natural person in accordance with
the Personal Health Data Filing System. The regulations shall state
the purpose of the data processing, and which communicable diseases
shall be subject to reporting or notification. The King in Council
may also prescribe regulations regarding the duty to report the
side effects of preventive measures, and regarding examination,
treatment and other measures pursuant to the Act. The King may
issue further provisions regarding who shall report or give
notification, and regarding requirements as regards the form in
which the data are to be reported, reporting forms and time limits
for reports and notifications, including who may or shall receive
reports and notifications.

Neither private nor public bodies
may implement systems for the reporting of communicable diseases in
humans without the consent of the Ministry. This shall not apply to
internal systems.

In the event of an outbreak of a
communicable disease that is hazardous to public health, or when
there is a danger of such an outbreak, and when it is necessary in
order for the control of communicable diseases, the Norwegian Board
of Health may with immediate effect impose on such persons as are
mentioned in the first paragraph temporary duties of reporting and
notification which deviate from regulations pursuant to the fourth
paragraph notwithstanding the statutory duty of secrecy.

Section 3-8, fifth paragraph, shall
read:

The King in Council may by regulations prescribe that
health care personnel, notwithstanding the statutory duty of
secrecy, shall provide information necessary for the implementation
of a control system based on vaccination registers, and lay down
rules for such registers, cf. the Act relating to Personal Health
Data Filing Systems.

Medical practitioners or midwives
shall notify the Medical Birth Registry of deliveries and
termination of pregnancies following the twelfth week of pregnancy
in accordance with regulations laid down pursuant to the Personal
Health Data Filing Systems Act.

Section 37 shall read:

Section 37 Report to personal
health data filing systems, etc.

The King may order health personnel
holding an authorisation or licence to provide information to
health registers in accordance with regulations laid down pursuant
to the Act relating to Personal Health Data Filing Systems.